Seychelles Revenue Commission Practice Statement PS CM 2009/02

Transcription

1 Seychelles Revenue Commission Practice Statement This Corporate Management Practice Statement is issued under the authority of the Revenue Commissioner (Commissioner) of the Seychelles Revenue Commission (SRC). Corporate Management Practice Statements are endorsed corporate policy and must be followed by all SRC employees. In circumstances where the anticipated impact of this Practice Statement is likely to result in unintended consequences, matters are to be referred to the Commissioner SRC. SUBJECT: This is a direction for the Proper Use of Information and Communication Technology (ICT) Facilities. PURPOSE: This practice statement describes the conditions under which SRC ICT facilities may be used and directs certain action by authorised ICT facilities users. Noncompliance could amount to a breach of the Code of Conduct. SUMMARY OF MAIN POINTS This practice statement: sets out what constitutes unacceptable use of ICT facilities within the SRC; sets out what constitutes acceptable occasional personal ITC use within the SRC; directs employees and other persons not to engage in unacceptable use of ICT facilities within the SRC; directs employees and other persons to report any perceived misuse of ICT facilities; and sets out how breaches of this Practice Statement will be dealt with.

2 STATEMENT Background 1. ICT facilities are provided by the SRC for the purpose of enabling authorised SRC users to conduct official SRC business. 2. Five key principles govern the provision of SRC ICT facilities: ICT facilities are provided for the conduct of official SRC business; ICT facilities are to be treated as the property of the SRC; any data or material entered onto, stored on or transmitted using ICT facilities is subject to inspection by the SRC and may be removed by the SRC IT section head; the use of ICT facilities must comply with all relevant laws of the Republic of Seychelles, SRC policies and procedures and must uphold the department s Code of Conduct; and ICT facilities users will be held personally accountable for any unauthorised use of ICT facilities. Direction: Authorised use of information and communication technology 3. Authorised SRC users are directed not to make unacceptable use of ICT facilities. Unacceptable uses are detailed in paragraph 13 of this Practice Statement. 4. The SRC will allow occasional personal use of ICT facilities provided that the effect on ICT facilities is negligible. Guidance on occasional personal use is provided in paragraphs 14 to 17 inclusive of this Practice Statement. EXPLANATION Definitions 5. In this practice statement ICT facilities include: all electronic hardware, firmware, software, computers (desktop and laptop), photocopiers, facsimile machines, printers, personal digital assistants, Internet connections, internal and external electronic mail connections, telephones, voice mail and data on any computer or peripheral device or related storage device Page 2 of 11

3 such as floppy disks, CD ROMs and tape cartridges. This list is for illustrative purposes only and does not limit the application of this practice statement; and an item whether owned, leased, managed, or operated by the SRC and includes items supplied by an external service provider for SRC use. 6. In this practice statement authorised ICT facilities users includes: employees of the SRC; employees of another Department or agency who are performing duties on behalf of the SRC (for example, people on secondment to the SRC); employees of other Department or agencies who have access to SRC ICT facilities to perform work on behalf of that department or agency; and persons performing a service under a contract to the SRC. 7. In this practice statement sexually oriented material includes but is not limited to images, text files, data or other material that: is obscene or indecent or whose main focus is pornography, partial nudity, full nudity or sexual acts. 8. In this practice statement offensive material includes but is not limited to images, text files, data or other material that: offends against community standards and includes images, data or other material that is humiliating, vulgar, discriminatory or racially biased against any person or group of persons; or portrays violence towards people, animals or destruction of property. 9. In this practice statement discriminatory material means material, including any images, text files or data, the display of which in the workplace would be unlawful according to any relevant law enacted in the Republic of Seychelles. 10. Advice on discriminatory material and the above mentioned legislation can, in the first instance, be obtained from the Commissioner secretariat. 11. In this practice statement inappropriate material includes but is not limited to images, text files, data or other material that: Page 3 of 11

4 concerns terrorism, espionage, bomb or incendiary device making, theft or illegal drug use or similar material; is defamatory, abusive, or likely to promote hatred or incite violence; is harmful to the national interests of the Republic of Seychelles or its security; or may harass, intimidate, threaten or offend another person. Direction: Unacceptable use of ICT Facilities 12. Authorised ICT facilities users are directed not to make unacceptable use of SRC ICT facilities. 13. Unacceptable use of SRC ICT facilities includes, but is not limited to: any use in breach of any law legislated in the Republic of Seychelles; any use in breach of the SRC Code of Conduct; distributing material that is harmful to the reputation or integrity of the Republic of Seychelles or the SRC; distributing material that conflicts with the interests of the Republic of Seychelles or SRC; breaching intellectual property rights, including copyright on software; interfering with the authorised use of ICT facilities by others, for example, using the user identification and authenticator (for example, a password) of another authorised user or intercepting another person's communications or without permission from that individual; intentionally disrupting the operation of ICT facilities by any means whatsoever; intentionally spreading malicious software (for example, viruses) within ICT facilities; gaining unauthorised access to any text files, data or material entered onto, stored on or transmitted using ICT facilities including changing that data or material in any way; Page 4 of 11

5 using ICT facilities for private commercial and or non-government commercial activities; using ICT facilities for private activities such as on-line gambling, on-line share trading or political activity; creating, intentionally accessing, possessing, soliciting or distributing any discriminatory, offensive, sexually oriented or inappropriate material; distributing chain letters or other bulk that is not authorised or workrelated; distributing anonymously, using a false identity; distributing communications or that disclose personal information of another without proper authorisation; intentionally visiting, or remaining in, Internet sites containing discriminatory, offensive, sexually oriented or inappropriate material; the dissemination of union material unless prior approval has been obtained from the Commissioner; using ICT facilities to conduct business for 'not for profit' organisations or charities unless prior approval has been received from the Commissioner; and installing, storing or disseminating any material including an inappropriate image, video or executable files (such as games) unless prior approval is obtained from the Commissioner. Occasional personal use 14. The SRC recognises that employees will occasionally wish to use ICT facilities for personal purposes. The occasional personal use of ICT facilities is a discretionary privilege granted by the Commissioner, not a condition of service. The Commissioner reserves the right to vary or withdraw this permission from all or any authorised ICT facilities user at any time. 15. In seeking to maintain a balance between the needs of the SRC and employees, the SRC will accept occasional personal use of ICT facilities provided that: it does not constitute an unacceptable use as detailed above; and Page 5 of 11

6 its effect on the SRC is negligible. 16. In determining whether an occasional personal use has a negligible effect on the SRC, the SRC will consider: the time spent in composing, reading and reviewing documents; time spent in browsing the Internet, especially when following up false leads or distracting Internet sites; the use of facsimile and printer resources such as paper, toner and maintenance; the use of other resources (server storage space, network traffic, etc.); the interruption to the flow and pattern of SRC work; occupational health matters related to excessive time spent at computer display screens and keyboards; the effect on the work of colleagues, particularly how colleagues may feel about receiving unsolicited s; the risk of viruses, worms, etc. being transferred onto SRC ICT facilities; and the risk of leaking SRC information by employees visiting Internet sites which may interrogate the browsing workstation. 17. The extent to which the usage intrudes into the employee s ability to fulfil their duties will be a consideration as to whether such usage is reasonable. Advice to other Agency Heads 18. It should be noted that details of inappropriate communications between employees of the SRC and other public service agencies will be provided to other agencies for their considered action under their respective Codes of Conduct. Further Advice on Acceptable and Unacceptable Use 19. Further information and advice on the interpretation of this practice statement can be obtained from the Commissioner s secretariat. Advice should always be sought in cases where there is doubt as to whether a particular use is unacceptable or not. See paragraph 24 of this practice statement for contact details. Page 6 of 11

7 Direction: ICT Responsibilities for SRC employees 20. All authorised ICT facilities users are responsible for the content of messages sent from their account and are directed to: delete all unacceptable material from their account as soon as practical; actively discourage the use and circulation of 'junk' mail (such as advertising material not connected to the business of the SRC) and chain letters; not alter or dismantle equipment without proper authority; maintain security by securing their workstation or laptop from improper use by regularly changing their password, not disclosing their password onto other people, activating secure screen-savers when their computer is not in use for short periods of time (15 minutes or more) and logging off computers at the end of the working day; and notify their supervisor, manager or Director of any perceived misuse of IT facilities. Direction: SRC employees supervising contractors 21. SRC employees responsible for contractors who perform services for the SRC are directed to ensure that: this corporate management practice statement is brought to the attention of the contractor and their employees; contract documentation includes a requirement to follow the terms of this practice statement; and they notify their supervisor, manager or Director of any perceived misuse of ICT facilities by contractors. See paragraph 24 of this practice statement for contact details. Page 7 of 11

8 Direction: SRC Contractors 22. Contractors who perform services for the SRC and who are authorised ICT facilities users are directed to: follow the requirements of this practice statement; meet the expectations for 'All Employees' as outlined above; and notify their SRC contract manager of any perceived misuse of IT facilities. See paragraph 24 of this practice statement for contact details. Supervisors, Managers and Directors 23. SRC supervisors, managers and Directors are directed to ensure: they model the behaviour expected of all SRC employees; that SRC employees for whom they are responsible follow this practice statement; that SRC contractors working in their area are made aware of and follow this practice statement; they immediately follow up on suspected cases of the misuse of ICT facilities; and they notify their superior of any perceived misuse of ICT Services by contractors or employees. See paragraph 24 of this practice statement for contact details. Complaints and Investigation 24. Instances of unacceptable use of SRC IT facilities can be reported to: supervisors, managers or the Commissioner; a member of the SRC IT facilities management; Phone: Page 8 of 11

9 Sanctions for non-compliance 25. A breach of this practice statement may result in criminal prosecution and/or action under the relevant legislation enacted in the Republic of Seychelles. 26. Disciplinary action instituted under these provisions can result in: termination of employment; reduction in classification; re-assignment of duties; reduction in salary; deductions from salary, by way of fine; a reprimand. 27. In considering the appropriate sanction for non-compliance with this practice statement, managers must consult with the Commissioner. Monitoring of ICT facilities Privacy regarding the permitted use of IT facilities 28. Given that IT facilities are SRC property, users with access to IT facilities should expect that private material stored or transmitted (if any) will be subject to scrutiny. 29. Privacy in respect of use of IT facilities is limited: No user should assume that personal or work-related material held on IT facilities is guaranteed to be protected as his or her own private and confidential property. Any data or material created, captured, transmitted or stored using IT facilities may be viewed by authorised personnel as part of the normal monitoring process. Users will not necessarily be notified that an item has been opened and inspected. Page 9 of 11

10 The SRC may remove any unauthorised material without notice and may remove even authorised material but, in that case, will take reasonable steps to give advance notice to users. The SRC may disclose the contents of messages, logs or files stored on IT facilities to appropriate third parties and may use any material where misconduct or criminal action is contemplated. Monitoring and security 30. The SRC runs a range of sophisticated intrusion detection, monitoring and protection tools that log and check IT use, activity and security. For example: addresses - senders and recipients - are logged, along with the transmission time. the content of messages (even deleted items) is stored on mail servers. Monitoring may be undertaken on either a regular or ad-hoc basis by system administrators. Monitoring and/or review of historical holdings may also be undertaken by the Commissioner. web server logs record information on Internet sites visited. the content of files held under an individual user name may be accessed by any Director, IT auditor, the Commissioner or any other person authorised by the Commissioner. filtering systems check incoming material for unacceptable content and block entry of material judged likely to be of an unauthorised nature. 31. While this activity is performed primarily to ensure business continuity and to minimise damage to business by preventing or minimising the effect of security incidents or misuse, these checks will also be used to detect any unauthorised personal use. 32. The SRC reserves the right to access, audit and review IT facilities, at any time. This includes any data or material that has been stored for personal use. 33. SRC IT Section is authorised to: revoke user access to an IT facility; remove any unacceptable material, with or without notice; and Page 10 of 11

11 refer suspected breaches of either the Code of Conduct or a law enacted in the Republic of Seychelles for investigation. 34. Employees will not necessarily be informed prior to these authorised inspections taking place. Breaches 35. Suspected breaches of this policy may be referred to any of the following: The Commissioner; SRC IT Section; Directors. Conformance 36. Conformance with this practice statement will be achieved by relying on reports from the SRC IT facilities management on incidences of breaches of this policy. 37. Further advice, in the first instance, can also be obtained from SRC IT facilities management. See paragraph 24 of this practice statement for contact details. APPROVAL Approved by:.. René Nusse Revenue Commissioner Seychelles Revenue Commission Page 11 of 11